The author is a Forbes contributor. The opinions expressed are those of the writer.


By Jeremy Lacy and Asher de Metz

No company wants to be like Target right now. For over four months, the organization has suffered from a PR nightmare thanks to a security breach that compromised the personal information of 70 million customers – and the credit card information of 40 million. According to Fox News, over 100 lawsuits from angry consumers are pending. And, as of February 1, according to both the Wall Street Journal and Huffington Post, direct costs are somewhere in the ballpark of $200 million.

So how can companies protect themselves from falling prey to a similar situation? A good starting place is to become compliant with standards set forth by the PCI Council, an organization that monitors payment card information security and requires companies to meet a certain number of controls.


But here’s the kicker: being compliant won’t necessarily save you from being hacked.

We know that is rough to hear, but requirements are not the same as best practices. Basic prescriptive requirements are often the bare necessities of information security. To truly defend against attacks of every kind, full information security programs and best practices must be implemented.

The bottom line is hackers are motivated. Think about it. Hackers are extremely motivated to get to your data, especially if you’re a large company. They are focused on their jobs 24/7, because getting into your system can result in a million-dollar (or more!) payday for them. Not only that, but they are constantly upgrading their methods in order to crack your system. They are smart – they know what the regulations and requirements are, and will weasel their way around them every place they can.

Companies, on the other hand, tend to lag behind hackers in their motivation. Sure, they want to protect their data as a matter of doing business and ensuring uptime should a breach occur, but many times their attitudes suggest they see PCI compliance – and data security – as just another item to check off their lists.

Furthermore, companies often implement only required IT security standards and not what is suggested or extra, usually because it will mean expanding their IT budgets beyond what they deem “necessary.” For example, network segmentation – in which payment card information is placed behind a different set of network security devices – is a standard the PCI Council suggests, but does not require. We hate to keep picking on Target, but they did not segment their network; so, once the hackers got past their main firewall, they were able to access all data, including payment card information.

Imagine if Target had taken a few extra steps. It would have saved itself millions in damages, not to mention avoided the loss of its reputation and clients. It may take years for Target to get back to where it was in terms of rebuilding trust in – and receiving business from – its customers.

So what does this mean for companies? In addition to becoming PCI-compliant, how do you avoid becoming like Target? Here are a few steps to consider:

Perform a proper risk analysis. In other words, figure out how at risk you are for being hacked and budget accordingly. Even if an analysis is only performed annually, certain practices associated with the assessment should be ongoing, including ongoing monitoring and maintenance of logs for all critical systems and periodic penetration tests (both external and internal) for your systems environment. Risks will not be the same for every company; minimize risk appropriately for your company size.

Hire a knowledgeable information security team. Make sure you have the right expertise on your team, with people who are able to evaluate each operating system and understand how to fix any breaches in security that might occur. This team should know how to prevent, monitor, and detect breaches, and have reactionary steps in place if someone breaks in. A team like this should also keep its finger on the pulse of what hackers are doing and how they’re changing their tactics.

Implement best practices related to security. These practices include network segmentation, the use of tokenization (replacing stored card numbers with surrogate tokens that are useless to a thief without access to the separately protected token vault), and password complexity. It also means keeping internal users aware that attacks are happening and that they are, in fact, touching PCI data.

Create a comprehensive security program. Remember, hackers are always watching for weaknesses in your system. Implement a program that covers every angle – and be sure to make PCI a large consideration of that program. In many cases, payment card information is what hackers are after, so don’t let them near your PCI data.
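As an added illustration of the tokenization and segmentation points above (example code, not from the authors or from any product), here is a minimal token vault in Python: the order system outside the cardholder data environment keeps only a random token and the last four digits, and only the vault, which would live inside the segmented environment, can map a token back to the card number. The PAN used is the well-known Visa test number; the class and function names are my own.

```python
import secrets
from typing import Dict, Optional

def luhn_valid(pan: str) -> bool:
    """Luhn checksum: rejects mistyped or obviously fake card numbers before they reach the vault."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def masked(pan: str) -> str:
    """Display form allowed outside the CDE: only the last four digits survive."""
    return "*" * (len(pan) - 4) + pan[-4:]

class TokenVault:
    """Hypothetical vault living inside the segmented cardholder data environment.
    Tokens are random, so nothing about the PAN can be derived from a stolen token."""
    def __init__(self) -> None:
        self._pan_to_token: Dict[str, str] = {}
        self._token_to_pan: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        if pan in self._pan_to_token:          # same card always maps to the same token
            return self._pan_to_token[pan]
        while True:
            token = "tok_" + secrets.token_hex(8)
            if token not in self._token_to_pan:  # guard against the (tiny) chance of a collision
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._token_to_pan.get(token)

def store_order(vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant's order system (outside the CDE) is allowed to keep: no PAN at all."""
    return {"token": vault.tokenize(pan), "last4": pan[-4:], "amount": amount}
```

A breach of the order database then yields tokens and last-four digits only, which is exactly the point of keeping card data behind its own segment.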

But perhaps the most important step in avoiding Target’s fate is to remain vigilant. Instead of seeing data security as “one more thing” to check off the list, keep an ever-watchful eye on your data. In saying this, we realize it’s a shift in our business culture today. Companies want to believe that being PCI-compliant equates with being safe from hackers. Unfortunately, the hackers won’t let up. And that means, in order to protect your reputation and your bottom line, neither should you.

Jeremy Lacy is a Senior Consultant in Sungard Availability Services Consulting, where he is the SME for the QSA area. Mr. Lacy is a CISA who has worked in the IT Audit world for 9 years and in IT for 16. In his IT Audit career, he has worked as an internal auditor for a Fortune 500 company and an external auditor for a Big Four firm. Mr. Lacy has also served as an IT Project Manager, a Risk Manager, a Business Systems Analyst, a Disaster Recovery Consultant/Specialist, and, for the last three years, an Information Security Consultant. He can be contacted at jeremy.lacy (at) Sungardas (dot) com.

Asher de Metz is the Lead Senior Consultant in Sungard Availability Services Consulting. At Sungard Availability Services, he is the subject matter expert for the Penetration Testing and Web Application Security Testing areas. Mr. de Metz has been in the IT field for 17 years and Information Security for 13. He has worked in a number of top consultancies for premium clients around the world, mainly in Europe, the Middle East and USA. He can be contacted at Asher.deMetz (at) Sungardas (dot) com.